华为VPN技术

LKAI.2024-11-20 23:08

1. 启动设备

2. 配置IP地址

FW1\]int g1/0/0 \[FW1-GigabitEthernet1/0/0\]ip add 192.168.1.254 24 \[FW1-GigabitEthernet1/0/0\]int g1/0/1 \[FW1-GigabitEthernet1/0/1\]ip add 100.1.1.1 24 \[FW1-GigabitEthernet1/0/1\]service-manage ping permit \[FW2\]int g1/0/0 \[FW2-GigabitEthernet1/0/0\]ip add 192.168.2.254 24 \[FW2-GigabitEthernet1/0/0\]int g1/0/1 \[FW2-GigabitEthernet1/0/1\]ip add 200.1.1.2 24 \[FW2-GigabitEthernet1/0/1\]service-manage ping permit \[AR1\]int g0/0/0 \[AR1-GigabitEthernet0/0/0\]ip add 100.1.1.2 24 \[AR1-GigabitEthernet0/0/0\]int g0/0/1 \[AR1-GigabitEthernet0/0/1\]ip add 200.1.1.1 24 **3.** **配置Tunnel接口** \[FW1\]int Tunnel 0 \[FW1-Tunnel0\]ip add 172.16.1.1 24 \[FW1-Tunnel0\]tunnel-protocol gre \[FW1-Tunnel0\]source 100.1.1.1 \[FW1-Tunnel0\]destination 200.1.1.2 \[FW2\]int Tunnel 0 \[FW2-Tunnel0\]ip add 172.16.1.2 24 \[FW2-Tunnel0\]tunnel-protocol gre \[FW2-Tunnel0\]source 200.1.1.2 \[FW2-Tunnel0\]destination 100.1.1.1 **4.** **将防火墙接口加入指定区域** \[FW1\]firewall zone trust \[FW1-zone-trust\]add int g1/0/0 \[FW1-zone-trust\]q \[FW1\]firewall zone untrust \[FW1-zone-untrust\]add int g1/0/1 \[FW1-zone-untrust\]add int Tunnel 0 \[FW2\]firewall zone trust \[FW2-zone-trust\]add int g1/0/0 \[FW2-zone-trust\]q \[FW2\]firewall zone untrust \[FW2-zone-untrust\]add int g1/0/1 \[FW2-zone-untrust\]add int Tunnel 0 **5.** **配置OSPF** \[FW1\]ospf 1 \[FW1-ospf-1\]area 0 \[FW1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1\]ospf 1 \[AR1-ospf-1\]area 0 \[AR1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 \[FW2\]ospf 1 \[FW2-ospf-1\]area 0 \[FW2-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 **6.** **配置路由条目** \[FW1\]ip route-static 192.168.2.0 24 Tunnel 0 \[FW2\]ip route-static 192.168.1.0 24 Tunnel 0 **7.** **配置防火墙策略** \[FW1\]security-policy \[FW1-policy-security\]rule name local-untrust \[FW1-policy-security-rule-local-untrust\]source-zone local \[FW1-policy-security-rule-local-untrust\]destination-zone untrust \[FW1-policy-security-rule-local-untrust\]source-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]destination-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]action permit \[FW1-policy-security-rule-local-untrust\]q \[FW1-policy-security\]rule name untrust-local \[FW1-policy-security-rule-untrust-local\]source-zone untrust \[FW1-policy-security-rule-untrust-local\]destination-zone local \[FW1-policy-security-rule-untrust-local\]source-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]destination-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]action permit \[FW1-policy-security-rule-untrust-local\]q \[FW1-policy-security\]rule name trust-untrust \[FW1-policy-security-rule-trust-untrust\]source-zone trust \[FW1-policy-security-rule-trust-untrust\]destination-zone untrust \[FW1-policy-security-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-security-rule-trust-untrust\]action permit \[FW1-policy-security-rule-trust-untrust\]q \[FW1-policy-security\]rule name untrust-trust \[FW1-policy-security-rule-untrust-trust\]source-zone untrust \[FW1-policy-security-rule-untrust-trust\]destination-zone trust \[FW1-policy-security-rule-untrust-trust\]action permit \[FW2\]security-policy \[FW2-policy-security\]rule name untrust-local \[FW2-policy-security-rule-untrust-local\]source-zone untrust \[FW2-policy-security-rule-untrust-local\]destination-zone local \[FW2-policy-security-rule-untrust-local\]action permit \[FW2-policy-security-rule-untrust-local\]q \[FW2-policy-security\]rule name local-untrust \[FW2-policy-security-rule-local-untrust\]source-zone local \[FW2-policy-security-rule-local-untrust\]destination-zone untrust \[FW2-policy-security-rule-local-untrust\]action permit \[FW2-policy-security-rule-local-untrust\]q \[FW2-policy-security\]rule name trust-untrust \[FW2-policy-security-rule-trust-untrust\]source-zone trust \[FW2-policy-security-rule-trust-untrust\]destination-zone untrust \[FW2-policy-security-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-security-rule-trust-untrust\]action permit \[FW2-policy-security-rule-trust-untrust\]q \[FW2-policy-security\]rule name untrust-trust \[FW2-policy-security-rule-untrust-trust\]source-zone untrust \[FW2-policy-security-rule-untrust-trust\]destination-zone trust \[FW2-policy-security-rule-untrust-trust\]source-address 192.168.1.0 0.0.0.255 \[FW2-policy-security-rule-untrust-trust\]action permit **8.** **配置NAT策略** \[FW1\]nat-policy \[FW1-policy-nat\]rule name trust-untrust \[FW1-policy-nat-rule-trust-untrust\]source-zone trust \[FW1-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW1-policy-nat-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-nat-rule-trust-untrust\]action source-nat easy-ip \[FW2\]nat-policy \[FW2-policy-nat\]rule name trust-untrust \[FW2-policy-nat-rule-trust-untrust\]source-zone trust \[FW2-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW2-policy-nat-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-nat-rule-trust-untrust\]action source-nat easy-ip **验证：** **1.pc2ping** **通pc1** ![](https://i-blog.csdnimg.cn/direct/a732c73bc621449690661d69fffe9810.png) **2.** **查看FW2防火墙会话表（看GRE协议的数据包走向）** ![](https://i-blog.csdnimg.cn/direct/cfd17827e61a47968bcf9fdb0043c93a.png) **3.** **查看NAT地址转换（pc2ping100.1.1.1时，查看防火墙会话表，可以看到私网地址转换成200.1.1.2后访问100.1.1.1）** ![](https://i-blog.csdnimg.cn/direct/98bd075ad39c4a01834d152e183ac23a.png) **4.** **抓FW2G1/0/1端口的包查看（GRE的端口是47）** ![](https://i-blog.csdnimg.cn/direct/324da126ab134f369df65e5ecfb4c322.png)

上一篇：Redis ZSet 类型深度解析：底层数据结构与应用场景

下一篇：【话题】抓住鸿蒙生态崛起的机遇：挑战与对策

热门推荐

01GitHub 镜像站点 02BongoCat - 跨平台键盘猫动画工具 03【保姆级教程】免费使用Gemini3的5种方法！免翻墙/国内直连 04UV安装并设置国内源 05Google Antigravity：无法登录？早期错误、登录修复和用户反馈指南 06安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口（持续更新）07Linux下V2Ray安装配置指南 08今天 Cloudflare 全球事故，连 GPT 和你的网站都一起“掉线”了 09全球最强模型Grok4，国内已可免费使用！（附教程）1046个Nano-banana 精选提示词，持续更新中